Re: Compromised Win2000 machine.

From: H C (keydet89at_private)
Date: Wed May 29 2002 - 13:37:47 PDT


    Since fport.exe isn't native to any MS system, you'd
    have to get it from the 'net someplace.  The thing to
    do (and I do this in the IR course I teach) would be
    to burn your tools to a CD.  If you can't do that,
    then you can put them on a diskette and write-protect
    --- Mark Newby <markat_private> wrote:
    > H C wrote:
    > > [...]
    > > Danny took the typical action seen of most
    > > admins...port scanning the system from the outside,
    > > and comparing the open ports to lists of known trojans
    > > and services.  This is inconclusive at best, and leads
    > > to a lot of speculation and time-wasting.  Better to
    > > run fport on the system (if NT/2K...if the system is
    > > XP, run netstat w/ the '-o' switch) instead, to see
    > > the process to port mapping.
    > > [...]
    > ...but I thought the advice for a (possibly) compromised box was *not*
    > to run executable programs that resided on that host, as they can't be
    > trusted?
    > mark
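
The process-to-port mapping discussed in this thread, as an added example that is not part of the original messages: it parses saved `netstat -ano` output and joins it to a PID-to-image list so each open port is tied to the process that owns it. The sample text is constructed, and taking the image names from `tasklist /fo csv /nh` output is an assumption (the thread names only fport and netstat); the parsing is meant to run on an analysis machine over output captured with tools from trusted media.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (not from the original thread).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       1632
  TCP    192.168.1.10:1045      192.168.1.20:80        ESTABLISHED     1200
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv /nh` output (assumed source of image names).
TASKLIST_SAMPLE = '''\
"System","4","Console","0","216 K"
"svchost.exe","884","Console","0","3,812 K"
"iexplore.exe","1200","Console","0","18,440 K"
"unknown.exe","1632","Console","0","2,104 K"
'''

def parse_listeners(netstat_text):
    """Return (proto, port, pid) for every listening TCP and bound UDP socket."""
    rows = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            pid = f[4]
        elif len(f) == 4 and f[0] == "UDP":
            pid = f[3]          # UDP rows have no State column
        else:
            continue            # headers, blank lines, established connections
        port = int(f[1].rsplit(":", 1)[1])   # rsplit also copes with [::]:135
        rows.append((f[0], port, int(pid)))
    return rows

def parse_tasklist(csv_text):
    """Map PID -> image name from tasklist CSV output."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(csv_text)) if len(r) >= 2}

def port_owners(netstat_text, tasklist_csv):
    """Join the two outputs: (proto, port) -> (pid, image name or '?')."""
    images = parse_tasklist(tasklist_csv)
    return {(proto, port): (pid, images.get(pid, "?"))
            for proto, port, pid in parse_listeners(netstat_text)}
```

Calling `port_owners(NETSTAT_SAMPLE, TASKLIST_SAMPLE)` returns one entry per open port, so a port seen in an outside scan can be looked up directly instead of guessed at from lists of known services.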

    This archive was generated by hypermail 2b30 : Wed May 29 2002 - 13:52:56 PDT